| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2024082136-CVE-2024-43871-c2cd@gregkh> Date: Wed, 21 Aug 2024 08:07:35 +0800 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org> Subject: CVE-2024-43871: devres: Fix memory leakage caused by driver API devm_free_percpu() Description =========== In the Linux kernel, the following vulnerability has been resolved: devres: Fix memory leakage caused by driver API devm_free_percpu() It will cause memory leakage when use driver API devm_free_percpu() to free memory allocated by devm_alloc_percpu(), fixed by using devres_release() instead of devres_destroy() within devm_free_percpu(). The Linux kernel CVE team has assigned CVE-2024-43871 to this issue. Affected and fixed versions =========================== Issue introduced in 4.10 with commit ff86aae3b411 and fixed in 4.19.320 with commit 700e8abd65b1 Issue introduced in 4.10 with commit ff86aae3b411 and fixed in 5.4.282 with commit b044588a16a9 Issue introduced in 4.10 with commit ff86aae3b411 and fixed in 5.10.224 with commit ef56dcdca8f2 Issue introduced in 4.10 with commit ff86aae3b411 and fixed in 5.15.165 with commit 3047f99caec2 Issue introduced in 4.10 with commit ff86aae3b411 and fixed in 6.1.103 with commit 3dcd0673e476 Issue introduced in 4.10 with commit ff86aae3b411 and fixed in 6.6.44 with commit b67552d7c61f Issue introduced in 4.10 with commit ff86aae3b411 and fixed in 6.10.3 with commit 95065edb8ebb Issue introduced in 4.10 with commit ff86aae3b411 and fixed in 6.11-rc1 with commit bd50a974097b Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2024-43871 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/base/devres.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/700e8abd65b10792b2f179ce4e858f2ca2880f85 https://git.kernel.org/stable/c/b044588a16a978cd891cb3d665dd7ae06850d5bf https://git.kernel.org/stable/c/ef56dcdca8f2a53abc3a83d388b8336447533d85 https://git.kernel.org/stable/c/3047f99caec240a88ccd06197af2868da1af6a96 https://git.kernel.org/stable/c/3dcd0673e47664bc6c719ad47dadac6d55d5950d https://git.kernel.org/stable/c/b67552d7c61f52f1271031adfa7834545ae99701 https://git.kernel.org/stable/c/95065edb8ebb27771d5f1e898eef6ab43dc6c87c https://git.kernel.org/stable/c/bd50a974097bb82d52a458bd3ee39fb723129a0c
Powered by blists - more mailing lists